Wind River Support Network

Not to be fixed

SCP8-90 : mokutil --list-enrolled displays only one sha256 hash value although the grub and kernel hashes are both enrolled into moklist

Created: Apr 27, 2016    Updated: Mar 6, 2019
Resolved Date: Feb 19, 2019
Found In Version: 8.0
Severity: Standard
Applicable for: Wind River Linux 8
Component/s: Userspace

Description

mokutil --list-enrolled should display both the grub hash and the bzImage hash, but it currently displays only the hash that was enrolled first.
Both grub and bzImage load successfully after their hash values are enrolled, so this is a bug only in the "--list-enrolled" command.

Two [SHA-256] entries are expected, but only one is shown:
root@localhost:~# mokutil --list-enrolled
[key 1]
  [SHA-256]
  b7d26ab95863f881fa9b125f7aa73e79bfeb400f45dc83db4679085475694f7c

[key 2]
SHA1 Fingerprint: a3:dd:51:e3:63:2e:2e:95:21:b0:06:a1:aa:80:ac:9b:51:57:67:11
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10266996426669974497 (0x8e7bb2da69de63e1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Wind River Linux Sample Vendor Certificate for SCP

Steps to Reproduce

1)	/net/pek-gwptest1/buildarea1/wrlinux-8/wrlinux/configure --enable-board=intel-x86-64 --enable-kernel=standard --enable-rootfs=gwp-secure --enable-addons=wr-gateway --with-package=vim --enable-reconfig=yes
2)	make fs
3)	Enroll by LockDown.efi and enable secure-boot on target
4)	Copy unsigned grubx64.efi and unsigned bzImage to /boot/efi/
5)	Reboot target and trigger the mokmanager
6)	Enroll hash from bzImage (unsigned) and then continue boot
7)	Enroll hash from grubx64.efi (unsigned) and then continue boot
8)	After system is booted up, run “mokutil --list-enrolled” to check if two hash values are listed
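
Step 8 can be cross-checked without relying on mokutil's display by parsing the MOK list directly. The following is an added example, not code from Wind River or from mokutil. It assumes the standard UEFI EFI_SIGNATURE_LIST layout and that shim's runtime copy of the list is exposed as MokListRT through efivarfs; the sample data is constructed, and the parser covers both several hashes in one list and one list per hash, since the page does not say which layout was in use.

```python
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa9-87b5-ab155c2bf072")
# Assumption: shim's runtime MOK copy is exposed here through efivarfs.
MOKLIST_RT = "/sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23"

def parse_signature_lists(blob):
    """Return (type, owner, data) for every entry; one list may hold several."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError(f"truncated list header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        body, end = off + 28 + hdr_size, off + list_size
        if body > end or end > len(blob) or sig_size <= 16 or (end - body) % sig_size:
            raise ValueError(f"malformed list at offset {off}")
        for pos in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
        off = end
    return entries

def enrolled_sha256(blob):
    """Hex digests of all enrolled SHA-256 hashes, in storage order."""
    return [data.hex() for sig_type, _, data in parse_signature_lists(blob)
            if sig_type == EFI_CERT_SHA256_GUID and len(data) == 32]

def make_list(sig_type, payloads, owner=uuid.UUID(int=0)):  # sample builder only
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body

# Constructed sample: two hashes in one list, a dummy certificate, a third hash.
SAMPLE = (make_list(EFI_CERT_SHA256_GUID, [b"\x11" * 32, b"\x22" * 32])
          + make_list(EFI_CERT_X509_GUID, [b"\x30\x82" + b"\x00" * 30])
          + make_list(EFI_CERT_SHA256_GUID, [b"\x33" * 32]))

if __name__ == "__main__":
    try:
        with open(MOKLIST_RT, "rb") as f:
            blob = f.read()[4:]  # efivarfs prepends 4 bytes of attributes
    except OSError:
        blob = SAMPLE  # not on a shim-booted target: use the constructed sample
    for digest in enrolled_sha256(blob):
        print("[SHA-256]", digest)
```

If this prints both the grub and bzImage digests while mokutil shows one, the enrollment is intact and only the listing is incomplete.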